Failure to configure Wireguard device via systemd-networkd on Google Compute Engine VM

Question

Debian Buster image on a Google Compute Engine VM, and I have this systemd-networkd config placed at /etc/systemd/network/wg0.netdev to configure a Wireguard device:

[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
PrivateKey = XXXXX
ListenPort = 51820

[WireGuardPeer]
Endpoint = XXXXX:51820
PublicKey = XXXXX
AllowedIPs = XXXXX/32
AllowedIPs = XXXXX/24

When starting the systemd-networkd service, I get this error:

Starting Network Service...
Failed to generate predictable MAC address for wg0: No such file or directory
Could not load configuration files: No such file or directory
systemd-networkd.service: Main process exited, code=exited, status=1/FAILURE

What's odd is:

1. I can bring up the wg0 interface successfully on the GCP server by configuring it manually instead of via systemd
2. I can use the above systemd-networkd config on other provider VMs (tested Vultr and local Vagrant) successfully

So the error only happens with the specific combination of using systemd-networkd config on a GCP server.

I'm using the exact same Linux kernel and Wireguard versions on all the servers. If it's a GCP-specific configuration, I can't seem to find any related documentation on it.

Answer 1

I've checked Wireguard on GCE VM with Ubuntu 18.04 and it runs without any issues.

Please find my steps below:

1. create VM instance based on Ubuntu 18.04

$ gcloud compute instances create instance-1 --machine-type=e2-medium --can-ip-forward --tags=vpn --image=ubuntu-1804-bionic-v20201111 --image-project
=ubuntu-os-cloud

2. create firewall rule:

$ gcloud compute firewall-rules create to-vpn --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=udp:51820 --source-ranges=0.0.0.0/0 --target-tags=vpn

3. install wireguard-tools:

$ gcloud compute ssh instance-1
instance-1:~$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
instance-1:~$ sudo apt update
instance-1:~$ sudo apt upgrade
instance-1:~$ sudo apt install wireguard-tools

4. generate server keys:

instance-1:~$ umask 077; wg genkey | tee privatekey | wg pubkey > publickey
instance-1:~$ sudo cat privatekey 
2PSZW0mLV5YYE0oPBTKtOuZoQHYCIsoEg8KBcLdL+FY=

5. generate server config:

instance-1:~$ sudo cat /etc/wireguard/wg0.conf
[Interface]
Address = 10.156.0.17
MTU = 1440
ListenPort = 51820
PrivateKey = 2PSZW0mLV5YYE0oPBTKtOuZoQHYCIsoEg8KBcLdL+FY=

6. enable and start service:

instance-1:~$ sudo systemctl enable wg-quick@wg0
instance-1:~$ sudo systemctl start wg-quick@wg0
instance-1:~$ sudo systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/lib/systemd/system/wg-quick@.service; indirect; vendor preset: enabled)
   Active: active (exited) since Mon 2020-11-16 16:42:07 UTC; 10s ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 4937 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
 Main PID: 4937 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4671)
   CGroup: /system.slice/system-wg\x2dquick.slice/wg-quick@wg0.service

Nov 16 16:42:07 instance-1 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Nov 16 16:42:07 instance-1 wg-quick[4937]: [#] ip link add wg0 type wireguard
Nov 16 16:42:07 instance-1 wg-quick[4937]: [#] wg setconf wg0 /dev/fd/63
Nov 16 16:42:07 instance-1 wg-quick[4937]: [#] ip -4 address add 10.156.0.17 dev wg0
Nov 16 16:42:07 instance-1 wg-quick[4937]: [#] ip link set mtu 1440 up dev wg0
Nov 16 16:42:07 instance-1 systemd[1]: Started WireGuard via wg-quick(8) for wg0.

7. check status of the service:

instance-1:~$ sudo wg
interface: wg0
  public key: 4sLXXmfK8Llr84wzoy8vfV3B0lV0w/RlR94YPnAbYS4=
  private key: (hidden)
  listening port: 51820
instance-1:~$ sudo ip a show wg0
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.156.0.17/32 scope global wg0
       valid_lft forever preferred_lft forever

8. reset VM instance and check status:

instance-1:~$ sudo systemctl status systemd-networkd
● systemd-networkd.service - Network Service
   Loaded: loaded (/lib/systemd/system/systemd-networkd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2020-11-16 16:54:52 UTC; 7min ago
     Docs: man:systemd-networkd.service(8)
 Main PID: 751 (systemd-network)
   Status: "Processing requests..."
    Tasks: 1 (limit: 4671)
   CGroup: /system.slice/systemd-networkd.service
           └─751 /lib/systemd/systemd-networkd

Nov 16 16:54:52 instance-1 systemd-networkd[751]: ens4: IPv6 successfully enabled
Nov 16 16:54:52 instance-1 systemd-networkd[751]: lo: Link is not managed by us
Nov 16 16:54:52 instance-1 systemd-networkd[751]: ens4: Link UP
Nov 16 16:54:52 instance-1 systemd-networkd[751]: ens4: Gained carrier
Nov 16 16:54:52 instance-1 systemd-networkd[751]: ens4: DHCPv4 address 10.156.0.17/32 via 10.156.0.1
Nov 16 16:54:52 instance-1 systemd-networkd[751]: Not connected to system bus, not setting hostname.
Nov 16 16:54:53 instance-1 systemd-networkd[751]: ens4: Gained IPv6LL
Nov 16 16:54:53 instance-1 systemd-networkd[751]: ens4: Configured
Nov 16 16:55:01 instance-1 systemd-networkd[751]: wg0: Link UP
Nov 16 16:55:01 instance-1 systemd-networkd[751]: wg0: Gained carrier
$ sudo systemctl status wg-quick@wg0
● wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
   Loaded: loaded (/lib/systemd/system/wg-quick@.service; indirect; vendor preset: enabled)
   Active: active (exited) since Mon 2020-11-16 16:55:01 UTC; 8min ago
     Docs: man:wg-quick(8)
           man:wg(8)
           https://www.wireguard.com/
           https://www.wireguard.com/quickstart/
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
           https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
  Process: 1115 ExecStart=/usr/bin/wg-quick up wg0 (code=exited, status=0/SUCCESS)
 Main PID: 1115 (code=exited, status=0/SUCCESS)

Nov 16 16:55:01 instance-1 systemd[1]: Starting WireGuard via wg-quick(8) for wg0...
Nov 16 16:55:01 instance-1 wg-quick[1115]: [#] ip link add wg0 type wireguard
Nov 16 16:55:01 instance-1 wg-quick[1115]: [#] wg setconf wg0 /dev/fd/63
Nov 16 16:55:01 instance-1 wg-quick[1115]: [#] ip -4 address add 10.156.0.17 dev wg0
Nov 16 16:55:01 instance-1 wg-quick[1115]: [#] ip link set mtu 1440 up dev wg0
Nov 16 16:55:01 instance-1 systemd[1]: Started WireGuard via wg-quick(8) for wg0.
instance-1:~$ sudo wg
interface: wg0
  public key: 4sLXXmfK8Llr84wzoy8vfV3B0lV0w/RlR94YPnAbYS4=
  private key: (hidden)
  listening port: 51820
instance-1:~$ sudo ip a show wg0
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.156.0.17/32 scope global wg0
       valid_lft forever preferred_lft forever

In addition, please have a look at 3rd party guide for newer versions of Ubuntu here.

Answer 2

Since my original report, it appears the issue has been resolved, either in GCP's images, or in systemd itself. It's working fine now.